From: Marco Rebhan via Kerberos <kerberos@mit.edu>
Reply-To: Marco Rebhan <me@dblsaiko.net>
To: kerberos@mit.edu
Subject: About the purpose of client host principals for NFS
Date: Sat, 07 Oct 2023 21:21:23 +0200
Message-ID: <2245400.ev0DxJNslZ@invader>

Hey list,

I'm currently setting up Kerberos for my home network. The main motivation was to get secure NFS, and as such I've looked at various guides on how to set it up for that. They (for example, the Arch Wiki[1]) pretty much all tell you to create principals for the host and NFS service for both the NFS server and clients that want to connect.

However, after setting up the NFS server and my Linux PC like this, I tested the whole setup with my MacBook which doesn't have a host principal or any other krb5 configuration yet (it can find the KDC due to DNS), and to my surprise it can both obtain a TGT for my user and afterwards also mount the NFS share.

What purpose does the host principal for clients serve here? I assumed it would be either used to authenticate hosts before they're allowed to obtain a TGT, or authenticate for mounting NFS shares, but clearly that's not the case since it works without. Is it only used so that the network share can be mounted without a user TGT?

Thanks,
Marco

[1]: https://wiki.archlinux.org/title/Kerberos#NFS_security

________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos